By Pete Mercer
March 2024 – The Journal of Healthcare Contracting
By Mark Thill
The revelation was like something out of a spy novel. In October 2013, former Vice President Dick Cheney and his cardiologist, Dr. Jonathan Reiner, told “60 Minutes” that when Cheney got a heart defibrillator in 2007, Reiner ordered the manufacturer to disable the wireless feature, to prevent would-be hackers from interfering with the device and shocking Cheney into cardiac arrest.
Since then, ransomware attacks on healthcare providers have become common, and medical devices are now being scrutinized not only because of the possibility of hackers interfering with them to hurt or kill people, but because devices can be used to “open the floodgates” for hackers to gain access to electronic medical records, personal patient information, even providers’ financial systems.
WannaCry
In the first half of 2020 alone, the Department of Health and Human Services saw a nearly 50% increase in the number of healthcare-related cybersecurity breaches, writes cybersecurity expert Seth Carmody in a recent article in HIT Consultant. Carmody is vice president of regulatory strategy for MedCrypt, a healthcare security provider, and former cybersecurity program manager in the U.S. Food and Drug Administration’s Center for Devices and Radiological Health (CDRH). The healthcare industry’s cyber risk exposure is weak, he says.
Medical device evaluation firm ECRI pointed to cybersecurity challenges as one of its Top 10 Health Technology Hazards for 2021. Third-party software components that are incorporated into medical devices pose unique cybersecurity challenges, and reducing vulnerabilities can be hindered by:
- Difficulty identifying which medical devices include the affected software.
- Delays in receiving guidance while the medical device vendor audits its product lines, validates third-party patches, and develops recommendations for remediating the problem.
- Practical challenges associated with applying the patch in a clinical environment where equipment is in continuous patient use.
The WannaCry ransomware attack in 2017 demonstrated how the exploitation of a vulnerability in third-party software could have devastating effects, according to ECRI.
In the United Kingdom, WannaCry infected 1,200 diagnostic devices, caused many others to be temporarily taken out of service to prevent the malware from spreading, and forced five UK hospital emergency departments to close and divert patients, writes John Riggi, senior advisor for cybersecurity and risk for the American Hospital Association, in a recent post on the AHA website. “The FBI considers WannaCry the first ransomware attack to widely target vulnerabilities commonly found in medical devices.”
Cause for concern
A 2016 article in HealthManagement.org by ECRI makes the case for medical devices and equipment as cause for concern.
“Medical devices are no longer just machines attached to or used by the patient. They are often connected to the EHR – either hardwired or wirelessly. A typical patient in a critical care unit could easily be connected to 10 or more networked devices. While the information on the medical device may not be useful to a hacker, the medical device can be used as a conduit for accessing patient information in the EHR, like home address and social security number, which can be used to perpetrate identity theft or real theft in the patient’s home while the patient is hospitalized.”
Biomedical engineering presents its own set of dangers, according to ECRI. “In-house biomedical engineering technicians and vendor field-service engineers typically have administrative rights to access performance records and to apply service diagnostics. These are typically not a managed credential and at many hospitals are the same for everyone with this level of access to the device. What happens if a technician or field service engineer leaves the hospital or the vendor? The password leaves with the person, with no hospital policy or procedure to update the access codes.”
Who’s responsible?
It’s not a question of negligence on the part of healthcare providers, medical device manufacturers or the FDA. But the fact is, someone has to address the growing problem. Who’s it going to be? Carmody points out the dilemma.
“Healthcare is optimized for healthcare, not security,” he says. “Expecting [healthcare] professionals to deliver world-class medical care and defend against cyberattacks is like requiring a world-class athlete in one sport to also be world-class in another sport – it can be done, but it’s rare and more than a little unfair. Do we really want companies that are working around the clock to care for those affected by a pandemic to also have to battle cyberattacks up and down the supply chain? If you try to make healthcare professionals security experts, you’ll get worse healthcare and inadequate security.”
Meanwhile, medical device manufacturers find themselves in a dilemma of their own, he says. “[Investing in] the level of commitment for security features that aren’t fully incentivized by the market is a tough sell for business leaders that are competing on clinical features.”
Even the feds have their hands full.
“While it makes sense for the FDA to be arbiters of security, now the FDA also has to assess the security adequacy of each device given its clinical risk context,” says Carmody. “And because they are also part of the healthcare supply chain, their job, and first priority, is healthcare, not security. When push comes to shove, clinical wins.”
That said, the federal government has tried to address medical device cybersecurity for years. Most recently, the FDA appointed Kevin Fu, a University of Michigan associate professor and security advocate, to a newly created leadership position to oversee medical device security. In an interview with MedTech Dive, Fu said the FDA seeks to require that:
- Devices have the capability to be updated and patched in a timely manner.
- Premarket submissions to FDA include evidence demonstrating the capability from a design and architecture perspective for device updating and patching.
- Manufacturers phase in a Cybersecurity Bill of Materials [also referred to as a Software Bill of Materials, or SBOM], that is, a list that includes commercial, open source, and off-the-shelf software and hardware components that are or could become susceptible to vulnerabilities.
- Device firms publicly disclose when they learn of a cybersecurity vulnerability.
‘It takes a village’
“It is important to remember that in the cybersecurity world, ‘it takes a village,’” Peter Wyner, chief information officer for CME Corp., wrote in an email.
“It is essential that manufacturers provide capabilities for any connected medical device to be updated as the threat landscape evolves, but it is equally important that they perform regular penetration testing on their devices, provide timely patches when required, and communicate in a clear, concise, and expeditious manner with their customer and distributor communities when such patches are required.
“Distributors have a role to play propagating information regarding vulnerabilities to their customers when they are notified by manufacturers,” he continues. “CME sees our role as that of trusted partner with many of the country’s largest healthcare providers. We strive to provide information to our customers as it is communicated to us from our vendor partners, and to broker communications between end user and manufacturer when needed.
“End users have probably the most vital role of all – maintaining accurate inventory management and patch management programs to ensure that EVERY device can be located and patched when required. CME can help customers large and small with both periodic and real-time inventory management solutions.”
“Security of a medical device is a joint venture between manufacturers and providers,” Chad Waters, senior cybersecurity engineer, Device Evaluation Group at ECRI, told Repertoire in an email. “Manufacturers should provide the information to assist in the minimizing of risk. This would include security questionnaires and security implementation guidance. Manufacturers should also be moving away from the notion of a medical device as a black box and have transparency about what is being connected to a provider’s environment.
“Some larger providers are already requiring SBOMs during the procurement process. As tools are developed to assist providers in analyzing SBOMs the requests will become more common throughout the sector. Manufacturers should incorporate SBOM generation into their product development processes going forward. Going back afterwards may require more resources.”
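The kind of SBOM analysis Waters describes, and the "which of our devices include the affected software" problem ECRI lists above, as an added illustration that is not code from the article, ECRI or CME: a provider matches a vendor advisory against the SBOMs in its device inventory, and separately flags devices for which no SBOM exists at all. The inventory, the advisory and the CycloneDX-like SBOM shape are all constructed for the example.

```python
"""Added example (not from the article): match a component advisory against
device SBOMs.  All data is constructed; the SBOM shape loosely follows the
CycloneDX JSON layout (a list of {"name", "version"} components)."""
import itertools
from typing import Dict, List, Tuple

# Constructed inventory: asset tag -> minimal SBOM.  The ventilator has no
# SBOM, which is the situation ECRI describes (vendor must be asked).
INVENTORY: Dict[str, dict] = {
    "INFUSION-PUMP-0001": {"components": [
        {"name": "openssl", "version": "1.0.2k"},
        {"name": "busybox", "version": "1.31.1"}]},
    "PATIENT-MONITOR-0007": {"components": [
        {"name": "openssl", "version": "1.1.1t"},
        {"name": "libxml2", "version": "2.9.4"}]},
    "CT-SCANNER-0002": {"components": [
        {"name": "libxml2", "version": "2.9.14"}]},
    "LEGACY-VENTILATOR-0003": {},
}

# Constructed advisory: the named component is affected below "fixed_in".
ADVISORY = {"component": "openssl", "fixed_in": "1.1.1"}

Version = Tuple[Tuple[int, str], ...]

def parse_version(v: str) -> Version:
    """Turn '1.0.2k' into ((1,''),(0,''),(2,'k')) so comparison is numeric
    per field ('1.10' sorts after '1.9') and letter suffixes still order."""
    parts: List[Tuple[int, str]] = []
    for piece in v.split("."):
        num = "".join(itertools.takewhile(str.isdigit, piece))
        parts.append((int(num or 0), piece[len(num):]))
    return tuple(parts)

def triage(inventory: Dict[str, dict], advisory: dict):
    """Return (affected, unknown): affected maps device -> installed version
    of the advisory's component when it is older than the fix; unknown lists
    devices with no SBOM, which cannot be assessed from inventory alone."""
    fixed = parse_version(advisory["fixed_in"])
    affected: Dict[str, str] = {}
    unknown: List[str] = []
    for device, sbom in inventory.items():
        comps = sbom.get("components")
        if not comps:
            unknown.append(device)
            continue
        for comp in comps:
            if (comp["name"].lower() == advisory["component"].lower()
                    and parse_version(comp["version"]) < fixed):
                affected[device] = comp["version"]
    return affected, unknown
```

Devices in the `unknown` list are the ones that still need the vendor audit ECRI describes; the `affected` list is where patch scheduling around clinical use starts.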